Vulnerability Reporting

Security is fundamental to Lightrail.

We offer a bounty of $100–$500 USD, depending on severity, for any security vulnerability that we can verify and that has not already been reported. Payouts are made via a digital Amazon gift card; unfortunately, we cannot substitute the payout with a different method.

In order to be eligible, vulnerabilities must be emailed to bugs@lightrail.com without public mention, and with the following information:

  1. A brief overview and description of the vulnerability and potential impact of an exploit.
  2. Exact reproduction steps that can be carried out by our engineering team.

We do not currently have an externally visible list of submitted bugs or paid bounties. If your report or reproduction steps are time-consuming, please pre-submit a brief summary first for a duplication check.

While we appreciate reports of common user experience bugs, only security vulnerabilities are eligible for a bounty. Multiple instances of the same vulnerability, if found, are eligible for only a single bounty.

Successfully reproduced vulnerabilities will be paid out within 60 days. You will be informed via email once the team has reviewed your submission.